ECA Hardware Certificate Renewal

You’ve arrived at this page because you have a hardware-based ECA Certificate expiring soon and can’t renew it because of restrictions set by the Department of Defense’s ECA Certificate Policy. Choose your current certificate type below to find out how to request a new certificate to replace the expiring one.

I have ECA Medium-Token Assurance Certificates

In its ECA Certificate Policy, the DoD requires you to make new certificate requests and have your identity verified, in person, every third certificate or every nine years (whichever comes first). That means you aren’t eligible to renew online if you have already used our online renewal process twice since the last time you had identity verification performed by a Trusted Agent (including ORC Registration Authorities, ORC-trained Local Registration Authorities, notaries public, etc.).

Instead of renewing online, you’ll need to make new certificates requests. This may require you to purchase new hardware, because of the size limitations of your current hardware. Each hardware device (whether a USB token or a smart card) has room for three full certificates. You most likely have at least two full certificates already. Choose the option below that works best in your situation:

  • Delete your current encryption certificate: If you have NEVER used your current encryption certificate to decrypt any encrypted emails that were sent to you, you can delete your existing encryption certificate to make room on your hardware device. CAUTION: Once you delete your encryption certificate, you will NOT be able to restore it to your device, and you will NOT be able to open any emails that were sent to you encrypted using that certificate. Be CERTAIN that you don’t need this certificate before you delete it! After deleting the encryption certificate, you can make your new certificate requests here: http://eca.orc.com/token-identity-encryption-certificates/
  • Request a new identity certificate only: If you never use your encryption certificate and don’t foresee a need to use it in the near future, you can request a new identity certificate only, which means you only need room on your hardware device for one certificate. The identity certificate is what gets you into government websites (such as JPAS). The encryption certificate is only used for decrypting encrypted emails that you’ve received. To make your new requests, begin here. After you have printed your identity certificate request form, you don’t need to continue to the encryption certificate request. We can assist you in deleting your current identity certificate after it expires (as there will be no need to keep it) and, if you choose, help you request a new encryption certificate.
  • Purchase new hardware: If you need to keep your current encryption certificate AND you want to request a new one, then there won’t be enough room on your hardware device for both of your new certificates. Review the pricing for Hardware and Software Supplies on our pricing page, then contact pkihelp@orc.com to place your order.

Important note: No matter which option you choose above, you’ll be generating a new certificate request form and visiting a Trusted Agent to have your identity verified. Once you’ve done so, you MUST send a completed request package to our Fairfax, VA office by the carrier of your choice (ex. US Mail, FedEx, UPS). A fax or email will NOT be accepted. A completed request package includes:

  • Your original, signed, notarized certificate request forms. No photocopies of this document will be accepted.
  • A copy of your two photo IDs
  • A copy of your proof of citizenship
  • A copy of your proof of affiliation

For additional information and a list of example documents, please visit http://eca.orc.com/verification/.

I have ECA Medium-Hardware Assurance Certificates

In its ECA Certificate Policy, the DoD requires you to make new certificate requests and have your identity verified, in person, every third certificate or every three years (whichever comes first). That means you aren’t eligible to renew online if:

  • You have already used our online renewal process twice since the last time you had identity verification performed by an ORC Registration Authority (ORC RA) or ORC-trained LRA (LRA); or
  • Your current certificate (the one that’s expiring) has a three-year validity period.

Instead of renewing online, you’ll need to make a new certificate request in the presence of an ORC RA or an LRA. ORC RAs are available by appointment only at the following locations: DC area (Fairfax, VA).

Schedule Appointment

Your organization may have an LRA who can take you through the request process and perform your identity verification. If you already know who your organization’s LRA is, contact them to arrange a time and date to make your request. If you don’t know whether or not your organization has an LRA, check with your supervisor or manager to find out.

 

If you have questions about any of the information on this page, please contact our help desk using our online customer service request form or by email at ecahelp@orc.com.